Compliance Audit — 2026-04-17
This umbrella issue tracks all findings from the automated compliance audit run on 2026-04-17.
Findings are grouped by remediation category. Address each category together to avoid duplicate agent PRs.
Total findings: 83 across 7 repositories
Remediation Work Breakdown
Repository Settings (14 finding(s))
Remediation: apply-repo-settings.sh
Affected repos: .github, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
|---|---|---|
| .github | allow_auto_merge | warning |
| .github | delete_branch_on_merge | warning |
| ContentTwin | allow_auto_merge | warning |
| ContentTwin | delete_branch_on_merge | warning |
| markets | allow_auto_merge | warning |
| markets | delete_branch_on_merge | warning |
| google-app-scripts | allow_auto_merge | warning |
| google-app-scripts | delete_branch_on_merge | warning |
| broodly | allow_auto_merge | warning |
| broodly | delete_branch_on_merge | warning |
| bmad-bgreat-suite | allow_auto_merge | warning |
| bmad-bgreat-suite | delete_branch_on_merge | warning |
| TalkTerm | allow_auto_merge | warning |
| TalkTerm | delete_branch_on_merge | warning |
Push Protection & Secret Scanning (16 finding(s))
Remediation: apply-repo-settings.sh (security_and_analysis) + per-repo ci.yml and .gitignore
Affected repos: .github, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
|---|---|---|
| .github | security_and_analysis_unavailable | warning |
| .github | secret_scan_ci_job_present | error |
| ContentTwin | security_and_analysis_unavailable | warning |
| ContentTwin | secret_scan_ci_job_present | error |
| markets | security_and_analysis_unavailable | warning |
| markets | secret_scan_ci_job_present | error |
| google-app-scripts | security_and_analysis_unavailable | warning |
| google-app-scripts | secret_scan_ci_job_present | error |
| google-app-scripts | gitignore_secrets_block | warning |
| broodly | security_and_analysis_unavailable | warning |
| broodly | secret_scan_ci_job_present | error |
| broodly | gitignore_secrets_block | warning |
| bmad-bgreat-suite | security_and_analysis_unavailable | warning |
| bmad-bgreat-suite | secret_scan_ci_job_present | error |
| bmad-bgreat-suite | gitignore_secrets_block | warning |
| TalkTerm | security_and_analysis_unavailable | warning |
Repository Rulesets (2 finding(s))
Remediation: apply-rulesets.sh
Affected repos: ContentTwin, broodly
| Repo | Check | Severity |
|---|---|---|
| ContentTwin | required-claude-check-broken | error |
| broodly | required-claude-check-broken | error |
Workflows (14 finding(s))
Remediation: per-repo workflow additions
Affected repos: .github, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
|---|---|---|
| .github | codeql-default-setup-not-configured | error |
| ContentTwin | codeql-default-setup-not-configured | error |
| ContentTwin | stray-codeql-workflow | error |
| markets | codeql-default-setup-not-configured | error |
| markets | stray-codeql-workflow | error |
| google-app-scripts | codeql-default-setup-not-configured | error |
| google-app-scripts | stray-codeql-workflow | error |
| broodly | codeql-default-setup-not-configured | error |
| broodly | stray-codeql-workflow | error |
| bmad-bgreat-suite | codeql-default-setup-not-configured | error |
| bmad-bgreat-suite | stray-codeql-workflow | error |
| TalkTerm | missing-ci.yml | error |
| TalkTerm | codeql-default-setup-not-configured | error |
| TalkTerm | stray-codeql-workflow | error |
Action SHA Pinning (36 finding(s))
Remediation: pin actions to SHA in each workflow file
Affected repos: .github, ContentTwin, TalkTerm, bmad-bgreat-suite, broodly, google-app-scripts, markets
| Repo | Check | Severity |
|---|---|---|
| .github | unpinned-actions-agent-shield.yml | error |
| .github | unpinned-actions-claude.yml | error |
| .github | unpinned-actions-dependency-audit.yml | error |
| ContentTwin | unpinned-actions-agent-shield.yml | error |
| ContentTwin | unpinned-actions-claude.yml | error |
| ContentTwin | unpinned-actions-dependabot-automerge.yml | error |
| ContentTwin | unpinned-actions-dependabot-rebase.yml | error |
| ContentTwin | unpinned-actions-dependency-audit.yml | error |
| markets | unpinned-actions-agent-shield.yml | error |
| markets | unpinned-actions-claude.yml | error |
| markets | unpinned-actions-dependabot-automerge.yml | error |
| markets | unpinned-actions-dependabot-rebase.yml | error |
| markets | unpinned-actions-dependency-audit.yml | error |
| markets | unpinned-actions-feature-ideation.yml | error |
| google-app-scripts | unpinned-actions-agent-shield.yml | error |
| google-app-scripts | unpinned-actions-claude.yml | error |
| google-app-scripts | unpinned-actions-dependabot-automerge.yml | error |
| google-app-scripts | unpinned-actions-dependabot-rebase.yml | error |
| google-app-scripts | unpinned-actions-dependency-audit.yml | error |
| google-app-scripts | unpinned-actions-feature-ideation.yml | error |
| broodly | unpinned-actions-agent-shield.yml | error |
| broodly | unpinned-actions-claude.yml | error |
| broodly | unpinned-actions-dependabot-automerge.yml | error |
| broodly | unpinned-actions-dependabot-rebase.yml | error |
| broodly | unpinned-actions-dependency-audit.yml | error |
| broodly | unpinned-actions-feature-ideation.yml | error |
| bmad-bgreat-suite | unpinned-actions-agent-shield.yml | error |
| bmad-bgreat-suite | unpinned-actions-claude.yml | error |
| bmad-bgreat-suite | unpinned-actions-dependabot-automerge.yml | error |
| bmad-bgreat-suite | unpinned-actions-dependency-audit.yml | error |
| TalkTerm | unpinned-actions-agent-shield.yml | error |
| TalkTerm | unpinned-actions-claude.yml | error |
| TalkTerm | unpinned-actions-dependabot-automerge.yml | error |
| TalkTerm | unpinned-actions-dependabot-rebase.yml | error |
| TalkTerm | unpinned-actions-dependency-audit.yml | error |
| TalkTerm | unpinned-actions-feature-ideation.yml | error |
Dependabot Configuration (1 finding(s))
Remediation: per-repo .github/dependabot.yml
Affected repos: google-app-scripts
| Repo | Check | Severity |
|---|---|---|
| google-app-scripts | wrong-limit-npm | warning |
Generated by the weekly compliance audit on 2026-04-17 13:37 UTC.
Address each remediation category as a single coordinated PR to avoid duplicate agent work.